diff --git a/scripts/multi_ldap_change.php b/scripts/multi_ldap_change.php index 4e88bc9f..98109e72 100644 --- a/scripts/multi_ldap_change.php +++ b/scripts/multi_ldap_change.php @@ -24,25 +24,28 @@ foreach ($secondaries_ldap as $s_ldap) { $result = ""; $return = Array(); - $error_code = 1; - $s_ad_mode = false; - $ldap_login_attribute = ""; - $s_ldap_base = ""; - - if (isset($s_ldap['ldap_login_attribute'])) { - $ldap_login_attribute = $s_ldap['ldap_login_attribute']; - } + $s_ldap_url = isset($s_ldap['ldap_url']) ? $s_ldap['ldap_url'] : $ldap_url; + $s_ldap_starttls = isset($s_ldap['ldap_starttls']) ? $s_ldap['ldap_starttls'] : $ldap_starttls; + $s_ldap_binddn = isset($s_ldap['ldap_binddn']) ? $s_ldap['ldap_binddn'] : $ldap_binddn; + $s_ldap_bindpw = isset($s_ldap['ldap_bindpw']) ? $s_ldap['ldap_bindpw'] : $ldap_bindpw; + $s_ldap_base = isset($s_ldap['ldap_base']) ? $s_ldap['ldap_base'] : $ldap_base; + $s_ldap_scope = isset($s_ldap['ldap_scope']) ? $s_ldap['ldap_scope'] : $ldap_scope; + $s_ldap_filter = isset($s_ldap['ldap_filter']) ? $s_ldap['ldap_filter'] : $ldap_filter; + $s_ldap_krb5ccname = isset($s_ldap['ldap_krb5ccname']) ? $s_ldap['ldap_krb5ccname'] : $ldap_krb5ccname; + $s_ldap_network_timeout = isset($s_ldap['ldap_network_timeout']) ? $s_ldap['ldap_network_timeout'] : $ldap_network_timeout; + $s_ldap_login_attribute = isset($s_ldap['ldap_login_attribute']) ? $s_ldap['ldap_login_attribute'] : $ldap_login_attribute; + $s_ad_mode = isset($s_ldap['ad_mode']) ? $s_ldap['ad_mode'] : $ad_mode; # Connect to LDAP $ldapInstance = new \Ltb\Ldap( - $ldap_url, - $ldap_starttls, - isset($ldap_binddn) ? $ldap_binddn : null, - isset($ldap_bindpw) ? $ldap_bindpw : null, - isset($ldap_network_timeout) ? $ldap_network_timeout : null, - $ldap_base, + $s_ldap_url, + $s_ldap_starttls, + isset($s_ldap_binddn) ? $s_ldap_binddn : null, + isset($s_ldap_bindpw) ? $s_ldap_bindpw : null, + isset($s_ldap_network_timeout) ? $s_ldap_network_timeout : null, + $s_ldap_base, null, - isset($ldap_krb5ccname) ? $ldap_krb5ccname : null + isset($s_ldap_krb5ccname) ? $s_ldap_krb5ccname : null ); $ldap_connection = $ldapInstance->connect(); @@ -51,27 +54,17 @@ $result = $ldap_connection[1]; if (!$ldap) { - fwrite($log_file, "Error code: $result"); + fwrite($log_file, "LDAP $s_ldap_url - Error code: $result\n"); } else { # Search for user - if (isset($s_ldap['ldap_filter'])) { - $s_ldap_filter = $s_ldap['ldap_filter']; - } else { - $s_ldap_filter = $ldap_filter; - } $s_ldap_filter = str_replace("{login}", $login, $s_ldap_filter); - if (isset($s_ldap['ldap_base'])) { - $s_ldap_base = $s_ldap['ldap_base']; - } else { - $s_ldap_base = $ldap_base; - } - $search = $ldapInstance->search_with_scope($ldap_scope, $s_ldap_base, $s_ldap_filter); + $search = $ldapInstance->search_with_scope($s_ldap_scope, $s_ldap_base, $s_ldap_filter); $errno = ldap_errno($ldap); if ( $errno ) { $result = "ldaperror"; - fwrite($log_file, "LDAP - Search error $errno (".ldap_error($ldap).")"); + fwrite($log_file, "LDAP $s_ldap_url - Search error $errno (".ldap_error($ldap).")\n"); } else { # Get user DN @@ -83,40 +76,33 @@ if( !$userdn ) { $result = "badcredentials"; - fwrite($log_file, "LDAP - User $login not found"); + fwrite($log_file, "LDAP $s_ldap_url - User $login not found\n"); } else { $entry = ldap_get_attributes($ldap, $entry); $entry['dn'] = $userdn; # Bind with manager credentials - if ( isset($s_ldap['ldap_binddn']) && isset($s_ldap['ldap_bindpw']) ) { - $bind = ldap_bind($ldap, $s_ldap['ldap_binddn'], $s_ldap['ldap_bindpw']); - } else if ( isset($ldap_binddn) && isset($ldap_bindpw) ) { - $bind = ldap_bind($ldap, $ldap_binddn, $ldap_bindpw); + if ( isset($s_ldap_binddn) && isset($s_ldap_bindpw) ) { + $bind = ldap_bind($ldap, $s_ldap_binddn, $s_ldap_bindpw); } if ( !$bind ) { $result = "badcredentials"; $errno = ldap_errno($ldap); if ( $errno ) { - fwrite($log_file, "LDAP - Bind user error $errno (".ldap_error($ldap).")"); - } - if (isset($s_ldap['ad_mode'])) { - $s_ad_mode = $s_ldap['ad_mode']; - } else { - $s_ad_mode = $ad_mode; + fwrite($log_file, "LDAP $s_ldap_url - Bind user error $errno (".ldap_error($ldap).")\n"); } if ( ($errno == 49) && $s_ad_mode ) { if ( ldap_get_option($ldap, 0x0032, $extended_error) ) { - fwrite($log_file, "LDAP - Bind user extended_error $extended_error (".ldap_error($ldap).")"); + fwrite($log_file, "LDAP $s_ldap_url - Bind user extended_error $extended_error (".ldap_error($ldap).")\n"); $extended_error = explode(', ', $extended_error); if ( strpos($extended_error[2], '773') or strpos($extended_error[0], 'NT_STATUS_PASSWORD_MUST_CHANGE') ) { - fwrite($log_file, "LDAP - Bind user password needs to be changed"); + fwrite($log_file, "LDAP $s_ldap_url - Bind user password needs to be changed\n"); $who_change_password = "manager"; $result = ""; } if ( ( strpos($extended_error[2], '532') or strpos($extended_error[0], 'NT_STATUS_ACCOUNT_EXPIRED') ) and $ad_options['change_expired_password'] ) { - fwrite($log_file, "LDAP - Bind user password is expired"); + fwrite($log_file, "LDAP $s_ldap_url - Bind user password is expired\n"); $who_change_password = "manager"; $result = ""; } @@ -128,10 +114,8 @@ # Rebind as Manager if needed if ( $who_change_password == "manager" ) { - if ( isset($s_ldap['ldap_binddn']) && isset($s_ldap['ldap_bindpw']) ) { - $bind = ldap_bind($ldap, $s_ldap['ldap_binddn'], $s_ldap['ldap_bindpw']); - } else if ( isset($ldap_binddn) && isset($ldap_bindpw) ) { - $bind = ldap_bind($ldap, $ldap_binddn, $ldap_bindpw); + if ( isset($s_ldap_binddn) && isset($s_ldap_bindpw) ) { + $bind = ldap_bind($ldap, $s_ldap_binddn, $s_ldap_bindpw); } } @@ -139,19 +123,14 @@ # Change password #============================================================================== if ( !$result ) { - if (isset($s_ldap['ad_mode'])) { - $s_ad_mode = $s_ldap['ad_mode']; + $result = change_password($ldapInstance, $userdn, $newpassword, $s_ad_mode, $ad_options, $samba_mode, $samba_options, $shadow_options, $hash, $hash_options, 'manager', $oldpassword, $ldap_use_exop_passwd, $ldap_use_ppolicy_control, false, ""); + if ( $result !== "passwordchanged" ) { + fwrite($log_file, "Change on $s_ldap_url: KO\n"); } else { - $s_ad_mode = $ad_mode; - } - $result = change_password($ldapInstance, $userdn, $newpassword, $s_ad_mode, $ad_options, $samba_mode, $samba_options, $shadow_options, $hash, $hash_options, 'manager', $oldpassword, $ldap_use_exop_passwd, $ldap_use_ppolicy_control, false, ""); - if ( $result !== "passwordchanged" ) { - fwrite($log_file, "Change on '".$s_ldap['ldap_url']." : KO\n"); - } else { - fwrite($log_file, "Change on '".$s_ldap['ldap_url']." : OK\n"); - } + fwrite($log_file, "Change on $s_ldap_url : OK\n"); } } + } }}} }